Affectiva, a company that utilizes its facial-recognition software to measure reactions to advertisements and videos, addresses potential privacy concerns with its methods in a recent Advertising Age feature. While the company usually works with “opt-in” volunteers in a method akin to a focus group, it also places “huge emphasis on analyzing ads ‘in the wild,’” the article reports. Says Affectiva CEO Ken Denman, “We keep the metadata. We discard the image.” Unnamed Affectiva executives also confirmed that the company reserves its real-time analysis for “public venues” in which the individuals “are already being filmed.” [Full Story]
IMAGES of hundreds of thousands of Scots are contained on a controversial facial recognition database that is being used by the national police force, raising fresh fears over civil liberties. Officers have admitted to using the special technology, which attempts to identify faces captured on CCTV and other images, on more than 400 occasions. In addition, Police Scotland said it has uploaded hundreds of thousands of mugshots onto a UK-wide police database used as the main resource for facial recognition searches. Details of Police Scotland’s use of the technology were revealed in response to a Freedom of Information request. Independent watchdog Alastair MacGregor, the UK’s Biometrics Commissioner, has warned it may include hundreds of thousands of images of innocent people, raising questions about privacy. MPs on the Commons science and technology committee said they were “alarmed” to learn facial recognition technology could be used on pictures of innocent people. The database has continued to grow despite a High Court ruling in England which called on some forces to revise their procedures. [The Sunday Herald]
According to New Scientist, researchers found that volunteers’ brains had a reaction to each of 75 acronyms (e.g., FBI, DVD) in a way that was unique to each individual. The difference between the volunteers’ brain reactions was enough for the system to pinpoint their identities with accuracy of up to 94%. The study, from Neurocomputing, is titled – appropriately enough – Brainprint. The work was done by a group of researchers from the Basque Center for Cognition and Binghamton University. This isn’t the first time that unique brain activity has been looked at as a potential authentication factor. [NakedSecurity]
The Grocery Store Project was created by Simon Høgsberg using one camera to photograph 97,000 people outside a supermarket over a 21-month period. “Then he used facial recognition software to create a pedestrian survey of the people rushing past for his interactive series,” the report states, which “documents the intersecting lives of people who pass by each other almost daily, and it creates a fascinating ‘map’ showing how these lives converge.” The project “weaves together 457 people who happened to walk in front of his lens.” In all, he’s “identified and named 11,000 individuals,” the report states, noting only two people “said they didn’t want to be photographed,” and if anyone asked, Høgsberg told them he was “making a visual analysis of the Danish culture.” [Wired]
Alessandro Acquisti, professor at Carnegie Mellon University, is using his tenure as a Carnegie Corporation fellow to study the negative effects of data tracking, such as racial profiling. Cited as impetus was an October research initiative that found job candidates who identified as Muslim online were considered less for employment opportunities in neighborhoods with a majority of Republican voters. “If the market for information is not carefully regulated, big data can lead to a serious imbalance of power between individuals, whose information can be so easily exploited for profit, at times even unbeknownst to individuals, and companies, organizations and governments that have the upper hand,” said Laura Brandimarte, who coauthored a paper with Acquisti. [Post-Gazette.com]
The use of data for art can take the sting out of “Big Brother,” data artist Laurie Frick argues. Frick, who uses information gleaned from apps and personal journals to create her works, is among a rising coterie of artists who see data as a “metaphor for the human experience,” or more specifically, according to Frick, “an essential idea of who we are.” She tells The Atlantic, “I think people are at a point where they are sick of worrying about who is or isn’t tracking their data. I say, run toward the data. Take your data back and turn it into something meaningful.” [Source] [The Musician Who Sees Life Through the Prism of PRISM]
The Online Trust Alliance (OTA) has announced it is leading an initiative to develop a security, privacy and sustainability trust framework for Internet of Things (IoT) devices. The framework aims to provide clarity and confidence to consumers and will initially focus on connected home and wearable/fitness technologies, according to a press release. OTA hopes to use the framework as the basis for a potential certification program for IoT devices and their manufacturers. OTA’s Craig Spiezle said because of the rapid development of IoT products on the market “we must ensure that security and privacy best practices are integrated to maximize consumer protection.” A working group meeting is scheduled for June 16. [Full Story]
Accenture reports how organizations can preserve and increase the potential of personal data using five principles of corporate digital responsibility: stewardship, transparency, empowerment, equity and inclusion. In a recent Accenture survey of nearly 600 businesses globally, 79% of respondents said their companies collect data directly from individuals—such as online customer accounts, for example—as well as from commercial or data-sharing partnerships, connected devices and third-party data suppliers. “This data generates benefits for both businesses and customers—chief among them being the ability to deliver better customer experiences, enter new markets and make products more innovative,” the report states, noting that, at the same time, regulations are changing and regulators are increasing their scrutiny of businesses’ data practices. [Full Story]
Bill C-51 is just one aspect of the alarming privacy deficit the government has created. In the last 12 months alone we’ve seen stunning revelations about how the government’s spy agency CSE is spying on Canadians’ private online activities, and even on private emails that Canadians send to Members of Parliament. And we’ve seen Justice Minister Peter MacKay’s Online Spying Bill C-13 become law, despite opposition from three in four Canadians. Enough is enough: if there was one message coming through loud and clear from participants in our crowdsourcing process, it’s that Canadians are sick and tired of the seemingly endless series of government attacks on their privacy. The OpenMedia “pro-privacy action plan” has garnered the endorsement of a diverse group of advocacy and activist groups from across the ideological spectrum, including PEN Canada, the Canadian Constitution Foundation, Greenpeace and the National Firearms Association. And while he says that he hasn’t yet had the chance to review its findings in detail, federal privacy watchdog Daniel Therrien “welcomes” the initiative. “I believe it’s extremely important for Canadians to be involved in the debate around government surveillance and the kind of country we want,” he said in a written statement provided to CBC News. [Rabble: Liberals vs. liberties: Why Trudeau supports Bill C-51] [C-51: Crowdsourced report aims to stop Canada’s slide into ‘surveillance society’ Canada at a ‘tipping point,’ privacy advocates warn] [HuffPost: Could This Be the Antidote to Bill C-51?] [Canada’s National Security Agencies Need Parliamentary Oversight] [Think anyone’s going to repeal C-51? Don’t hold your breath]
Users of millions of smartphones put at risk by certain mobile browser gaps, Snowden file shows. The case raises questions about whether government agencies, even covert ones, should carry some responsibility for informing citizens of weaknesses they’ve unearthed in devices, operating systems and online infrastructure. Taking advantage of weaknesses in apps like UC Browser “may make sense from a very narrow national security mindset, but it happened at the expense of the privacy and security of hundreds of millions of users worldwide,” says Deibert. “Of course, the security agencies don’t [disclose the information],” says Deibert. “Instead, they harbour the vulnerability. They essentially weaponize it.” For his part, Geist argues that there is an expectation that the federal government will protect Canadians. “We should be troubled by the notion of our spy agencies — and in a sense our government — actively looking for vulnerabilities or weaknesses in the software that millions of people are using,” said Geist. [Source] [How CSE’s existence was first revealed by CBC TV] [Your government is spying on you online. Here’s what you can do about it]
But FINTRAC will also need new oversight, the experts said. If it is tracking every single electronic funds transfer made through Canadian financial institutions, there is a greater risk of privacy breaches, as well as of FINTRAC acting unlawfully or ineffectively. Privacy audits have already shown that, even at the $10,000 threshold, some transactions were inappropriately flagged based solely on race, country of origin or age. And there currently is no independent oversight mechanism to make sure FINTRAC is good value-for-money or that it acts within the law. [Source] [Solicitor Client Privilege in Tax Matters]
CA – Expansion of PIPEDA in Budget Bill Raises Constitutional Questions
The Canadian government’s omnibus budget implementation bill (Bill C-59) has attracted attention for its inclusion of copyright term extension for sound recordings and the retroactive changes to the Access to Information Act. Another legislative reform buried within the bill is a significant change to PIPEDA. The bill adds a new Schedule 4 to PIPEDA, which allows the government to specify organizations in the schedule to which PIPEDA applies. Bill C-59 immediately adds one organization: the World Anti-Doping Agency (WADA), which is based in Montreal. Leaving aside the obvious problem of burying privacy reforms in a budget bill (in fact, privacy, copyright, and access to information all within a single bill with little or no study of those reforms), the change is a potential target for a constitutional challenge. While there have even been some questions about relying on trade and commerce for PIPEDA, particularly after the Supreme Court of Canada decision involving a national securities regulator, there has never been any doubt that PIPEDA applies solely to commercial activities (Privacy Commissioner interpretation bulletin) as that is essential for the constitutional basis for the law. The problem with the Bill C-59 change is that it seeks to extend PIPEDA to non-commercial activities. While PIPEDA provides clear rules for organizations in the context of commercial activity, it does not currently apply to organizations such as the World Anti-Doping Agency, an international, independent organization headquartered in Montreal. [Source]
Health Minister Rona Ambrose said the government will give the Canadian Institute for Health Information nearly $4.3-million over five years to develop a co-ordinated national monitoring and surveillance program. …Several provinces, including Ontario and Nova Scotia, have created prescription monitoring programs, which typically target individuals who visit multiple doctors or pharmacies to get more opioids. The funding will help CIHI work with provinces to enhance data collection and analysis and create a national report on surveillance. [Globe & Mail]
OpenMedia’s David Christopher writes about the organization’s “crowd-sourced pro-privacy action plan,” launched this week. Privacy Commissioner Daniel Therrien has “welcomed” the initiative, CBC News reports. Canada’s Privacy Plan: A Crowdsourced Agenda for Tackling Canada’s Privacy Deficit begins with an introduction suggesting the country’s “growing privacy deficit has alarming consequences for our everyday lives. We’re at a tipping point where we need to decide whether to continue evolving into a surveillance society, or whether to rein in the government’s spying apparatus before more lives are ruined by information disclosures.” The plan includes “common sense” tips for strengthening privacy. [HuffPost] [Canadians to Spy Agencies: Get a Warrant!]
Executive Director Sukanya Pillay of the Canadian Civil Liberties Association says body cameras can be a “good thing for accountability,” but they raise a number of questions that need to be addressed as part of the pilot project. …Pillay said there must be strict controls on how footage is recorded, stored, flagged and accessed in order to protect citizens captured on film. “Strict protocols have to be in place in order for it to serve the function of accountability,” she said. [CTV] [Toronto police start year-long pilot project to test body cameras for officers] [Globe & Mail: Police Start Pilot to Test Body-Worn Cameras]
The Manitoba Court of Appeal has held that the tort of intrusion upon seclusion may allow family members, who have suffered as a result of a breach of a privacy of another family member, to advance a claim in their own right. …It is likely too early to know the significance of the Court’s decision in Grant, as the courts in Manitoba have not yet truly examined if the tort of intrusion upon seclusion can be expanded to give family members of a victim an ability to advance the tort. However, it will be interesting to see how other jurisdictions apply the ultimate ruling in Grant. [Source] See also: [MB: Province readying to unseal adoption records next month]
On February 19th, the Ontario Superior Court of Justice declined to strike a pleading that alleged a company unlawfully interfered with a competitor’s economic relations by receiving confidential information about a client (BC Cancer) that was sought after by both organizations. The Court held that the pleading was sustainable because BC Cancer had an arguable claim against the recipient organization based on the “intrusion upon seclusion” tort, suggesting that the tort is available to natural persons and corporations. As stressed by the Court, on a motion to strike a court errs on the side of permitting a novel but arguable claim to proceed to trial. [Source]
Ontario public sector institutions must meet high standards of care and trust whenever collecting, using and disclosing personal and other sensitive information. Any public institution considering new information technologies, systems, and program services which may affect privacy is strongly encouraged to complete a privacy impact assessment (PIA). A PIA is an organizational risk management tool and a process used to identify the effects of a given process or other activity upon an individual’s privacy. PIAs also serve to identify any risks to the institution. The IPC’s new guide, “Planning for Success,” provides institutions with step-by-step advice on how to carry out a PIA from beginning to end. The new guide will help institutions define scope, engage internal and external stakeholders, understand information flows, identify privacy solutions and prepare an effective PIA report. Beginning a PIA early in a project’s development provides a systematic basis for mitigating privacy risks at every step, and for documenting decisions for accountability and compliance purposes. [Source] [Guide]
A new report from the Pew Research Center reveals that Americans don’t trust the government or companies to protect their privacy. Conducted online in 2014 and early 2015, the survey found that nine in 10 adults value controlling their personal information, but half said they felt they had little or no control of their data. Approximately two-thirds said government surveillance limits are inadequate. More than three-fourths said they did not trust advertisers to protect their data, and two-thirds said they had no confidence social media sites, search engines or video sites would do so either. Additionally, more than half said they did not want to be monitored in public or in the workplace. [New York Times] Another finding from the survey: a majority (65%) of Americans do not believe there are adequate limits on “what telephone and Internet data the government can collect” as part of anti-terrorism efforts, vs. just under a third (31%) who do believe there are appropriate limits on the kinds of data gathered for these programs. Pew notes that respondents who are more aware of government online surveillance programs are considerably more likely to believe adequate safeguards are not in place: 74% of those who have heard “a lot” about these programs say limits are not adequate, vs. 62% of those who have heard only “a little” about the monitoring programs. [TechCrunch: Another Pew Privacy Report Flags Huge Public Mistrust]
As the USA PATRIOT Act’s expiration nears, polls conducted by the ACLU indicate that more than 80% of Americans across party lines are “concerned” about the bill’s privacy implications, while 60% of respondents support “revising” the bill to reflect said concern, Newsweek reports. “The poll results tell us that in order to be more reflective of the public’s views on surveillance and the PATRIOT Act, members of Congress should more fully support reforms,” says the ACLU’s legislative counsel, Neema Singh Guliani. [Newsweek]
Critics—and lawmakers—are wary of NBCUniversal’s announcement it will utilize data from customers’ Comcast DVR boxes to tailor TV advertisements. NBC is calling the initiative an “audience targeting platform,” and the corporation is excited about the possibilities. Comcast said it is “not sharing personally identifiable information about its customers, but simply providing a software tool that allows programmers, like NBCUniversal, to run certain queries,” the report states. The Electronic Frontier Foundation’s Lee Tien said, “I would ask them, ‘How are you technically implementing that?’ Exactly what data is generated in the process, and then how do you process that data in a way that it does not or cannot reveal the things that you say that you’re not trying to reveal?” [International Business Times]
The National Institute for Standards and Technology (NIST) is set to finalize an interagency report that will provide guidance for federal agencies on assessing and mitigating digital privacy risks. “Cybersecurity has come a long way in the last 10 years,” said NIST’s Sean Brooks, while “privacy has really lagged behind.” Brooks added that the framework aims to guide privacy initiatives from compliance to engineering and development staff “and even up to executive staff who are trying to deal with risks and make decisions about funding in order to mitigate those risks.” Transportation Department Chief Data Officer Dan Morgan said, “We can build all the beautiful digital services that we want, but if people don’t trust them, they’re not going to use them.” [Fierce Government IT]
US – IRS System Mined For Over 100,000 Taxpayer Records by Fraudsters
Stolen data from other breaches was apparently used to answer the authentication questions. The Get Transcript application, a feature of the IRS’ site that allows taxpayers to download tax return and tax payment transaction data, was apparently targeted by financial fraudsters between February and mid-May. The service was shut down last week as the IRS investigated the activity, which may have been linked to the fraudulent filing of tax returns and transfer of tax refunds. Attempts were made to access over 200,000 accounts; roughly half failed because incorrect information was entered during the IRS’ authentication process. [Source] [Hackers stole personal information from 104,000 taxpayers, IRS says]
The hard truth? Without a doubt, marketers’ efforts to be CASL-compliant hurt subscriber growth rates. …Unfortunately for marketers and consumers alike, spam is still a problem, even as subscriber growth is slowing down. Cloudmark’s most recent study was a real eye-opener on the overall drop in Canadian spam and even legitimate email being sent. Sadly, we haven’t seen CASL truly protect Canadians as it was initially intended just yet, considering spam email to Canadians has stayed nearly consistent.
- 37% reduction in spam originating in Canada, the majority of that going to the United States
- 29% reduction in all email received by Canadians, spam and legitimate
- No significant change in the percentage of emails received by Canadians that were spam. [Source]
Providers, electronic health record developers and health-information exchange operators are “still waiting for new regulations or guidance on electronically handling highly sensitive behavioral health information.” The Substance Abuse and Mental Health Services Administration held a national listening session on possibly updating its rule protecting patients of federally funded drug and alcohol treatment centers, the report states. The rule is seen by some as a barrier to interoperability of healthcare information systems. But patient advocates say patient consent, the requirement seen as a barrier to information sharing, is an important aspect of the law. The listening session drew mixed comments on whether government should expand access to behavioral health information. [Modern Healthcare]
University of Wisconsin Prof. Thomas Ristenpart describes the traditionally dicey enterprise of encrypting data in the cloud without breaking cloud applications, likening it to pounding square pegs into round holes. “Back in 2009,” he writes, he and other researchers “flipped the problem around.” He and his team created “format-preserving encryption” that can “solve the key usability issues of making it easy to specify a ‘peg size’.” Ristenpart adds, “It’s gratifying to see emerging security technologies bring these types of academic breakthroughs to the cloud security market.” [Full Story]
U.S. Homeland Security Secretary Jeh Johnson said disclosures from Edward Snowden on the NSA’s bulk surveillance programs have “changed the landscape” for encryption services, Politico reports. “We are concerned that with deeper and deeper encryption, the demands of the marketplace for greater cybersecurity, deeper encryption in basic communications … It’s making it harder for the FBI and state and local law enforcement to track crime, to track potential terrorist activity,” he said, adding, “We’ve got to find a solution to this, and we’re thinking about this very actively right now.” His remarks come after the House of Representatives voted to formally end the NSA’s bulk telephony data collection. [MSNBC]
Tens of thousands of HTTPS-protected websites—8.4% of the world’s top one million sites—as well as mail servers and other Internet services are currently vulnerable to a newly discovered attack that allows adversaries to eavesdrop on communications and downgrade encryption levels. The vulnerability, called Logjam, resides in the transport layer security protocol used by mail servers and websites to encrypt connections with users, the report states, and is a result of export restrictions mandated by the U.S. government in the 1990s so agencies could break foreign users’ encryption. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” said one researcher. [Ars Technica]
Under the Defence Trade Control Act (DTCA), Australians could face up to ten years in prison for teaching encryption. The criminal penalties take effect next year. The new legislation will make it illegal for Australians to teach or provide information on encryption without holding a permit. [Source]
Tens of thousands of HTTPS domains contain a vulnerability in the transport layer security protocol that the sites use to establish encrypted communications with users. The Logjam vulnerability can be exploited to access and modify data traveling through encrypted connections. The problem can be traced to export restrictions the US government imposed twenty years ago. [ZDNet] [Wired] [DarkReading] [Ars Technica] [Weakdh]
Visa has agreed to increase pay to banking institutions when they have to reissue cards in the wake of data breaches. Visa will reimburse on a tier system, with more help going to community institutions than the larger brands. The reimbursements will work on an annual card-purchase volume. There’s been an ongoing debate between merchants and banking institutions over who should be held accountable for card fraud. While banks say retailers should be held accountable for expenses related to breaches in which they hold some responsibility, retailers say the interchange fees they pay to card brands to route transactions are meant to cover breach-related expenses. [Bank Info Security]
Tech behemoths including Apple and Google and leading cryptologists are urging President Obama to reject any government proposal that alters the security of smartphones and other communications devices so that law enforcement can view decrypted data. In a letter to be sent Tuesday and obtained by The Washington Post, a coalition of tech firms, security experts and others appeal to the White House to protect privacy rights as it considers how to address law enforcement’s need to access data that is increasingly encrypted. “Strong encryption is the cornerstone of the modern information economy’s security,” said the letter, signed by more than 140 tech companies, prominent technologists and civil society groups. [Source] [Apple, Google and More Bring Privacy Fears to Obama]
EU ambassadors have agreed to a draft text proposed by Latvia—which currently holds the rotating presidency of the EU—that would implement three levels of fines for businesses that violate the EU’s data protection overhaul. The levels range from one-half percent to two percent of an organization’s annual global turnover. Failure to “erase personal data in violation of the right to erasure and ‘to be forgotten’” would be included in the second category of a one-percent fine. If all of the sections of the reform proposal are agreed upon, EU ministers could endorse the entire text at their mid-June meetings, the report states, and trialogue discussions between member state representatives and the European Parliament would commence. [EurActiv]
Winning approval for both binding corporate rules (BCRs) and cross-border privacy rules (CBPRs) takes significant work. But to demonstrate compliance, many of the administrative hurdles are the same. That’s why, as companies increasingly turn to BCRs and CBPRs as data transfer mechanisms, an EU/APEC working group has approved a plan for increased interoperability by making it easier for companies to comply with both BCRs and CBPRs all at once. “The idea is that organizations will be able to submit the single questionnaire to both EU DPAs, whose approval is needed for organizations to be granted BCRs, and to APEC Accountability Agents, whose approval is needed to be granted CBPRs.” [Full Story]
Ahead of a European Council meeting on proposed cybersecurity rules, France, Germany and Spain are hijacking the debate in hopes of using the rules to “boost control and surveillance over Internet companies, claiming they are critical to their economies and communication networks.” The proposal requests that Internet firms offer “greater transparency” to the EU and that firms outside the EU “report security breaches to national regulators in each member state,” similar to the burden placed on European telecom companies. “Nevertheless,” the report states, “the proposed rules will likely add to the long list of disputes pitting European authorities against U.S. tech firms.” [Politico]
The Belgian Privacy Commission published the first part of its recommendation after investigating Facebook’s data processing activities. While much of it justifies why Facebook is subject to Belgian law, it also reveals some important insight on the regulatory interpretation of the EU Data Protection Directive’s applicable law principles and highlights the growing concern around “forum shopping.” Tim Van Canneyt outlines the applicable law tests and offers measures multinationals can take in their approach to compliance with EU law, noting, “While it … makes sense to create an EU subsidiary to fulfill a data-controller role, it is not sufficient to simply ‘nominate’ one on paper.” [Privacy Tracker] Facebook Global Deputy Chief Privacy Officer Stephen Deadman says the one-stop-shop mechanism in the proposed General Data Protection Regulation is “in danger” and speaks from experience of the likely consequences for the EU if the one-stop shop is rejected or seriously watered down. Phil Lee says the General Data Protection Regulation will not prevent forum shopping because “businesses don’t choose their homes based on data protection alone.”
Following up on an announcement last month, Twitter officially made Ireland its global legal center. The move affects all non-U.S. Twitter users, according to a statement on the move. “It’s possible that Twitter may be anticipating a change in Safe Harbor because of recent developments and the direction European authorities are taking,” said Daragh O’Brien, adding, “If so, it would help them to have a single defined office.” The Office of the Irish Data Protection Commissioner (DPC) said it won’t have a new mountain of work, however, a separate Irish Independent report states. DPC Helen Dixon said that “even though Twitter users up to last week were signed up under ‘Twitter Inc.,’ we would always have seen ourselves as responsible.” [Irish Independent]
EU – New Telecom Law Proposed
In Germany, telecommunications and Internet companies “could once again be forced to store customer traffic and location metadata for police investigation purposes, five years after a previous data retention law was declared unconstitutional.” Under a draft data retention law released Wednesday, providers would be required “to store call and Internet traffic metadata for a maximum of 10 weeks while location data would have to be stored for four weeks,” the report states, noting Germany’s government believes “it strikes the right balance between freedom and security in the digital world.” [PCWorld]
Almost half of the UK population does not know whom to approach for advice on protecting their personal data online. When asked who they would go to for advice on protecting their data, only 1% named the ICO, while almost half (45%) of the 1,222 respondents said they “don’t know,” a poll by ComRes found. 35% said they would ask the Citizens Advice Bureau, 15% said they would search online, while 13% would ask a lawyer. [ComputerWorld]
Facebook is facing a wave of probes by European regulators into its privacy practices. The Belgian report, which was released Friday, is part of a broader effort by privacy regulators in several European countries to examine new privacy policies Facebook implemented this year for use of data from its services, which include Instagram and WhatsApp, to target advertising. The review is being led by authorities in the Netherlands and includes watchdogs in France, Spain and Germany. Belgium’s Privacy Commission, in its 28-page report, said Facebook processes the personal data of its members as well as other Internet users “in secret,” without asking for consent or adequately explaining how the data would be used. [WSJ] [The Belgian Commission for the Protection of Privacy has released a lengthy “recommendation” that outlines its beliefs as to why it has competency to regulate Facebook.] [ECJ Ruling Could Invalidate Safe Harbor: Opinion] SEE ALSO [Belgian authorities have taken Skype to court because it refused to allow two suspects’ Skype calls to be tapped. Skype says it isn’t subject to wiretap legislation]
EU – Other News
- Germany’s new draft data retention bill includes provisions for the retention of phone and Internet data for 10 weeks and mobile phone geolocation data for four weeks and a requirement that the data remain within Germany.
- EU ambassadors have agreed to Latvia’s draft text that would implement three levels of fines for businesses that violate the EU’s data protection overhaul.
- A general resolution on profiling activities online, issued by the Italian Data Protection Authority, is now in force.
- The UK’s high court ruled the government may indefinitely retain the DNA of adults convicted of crimes without illegally breaching their privacy.
- Dutch Members of Parliament are questioning a proposed law to end data retention.
- France’s new antiterrorism legislation is setting off alarms in Brussels, with questions as to whether the wide-ranging powers it gives French intelligence are within EU law.
WW – Salary Survey Released at Symposium
In conjunction with the IAPP Canada Privacy Symposium, the IAPP released the first regional breakout of its biennial Privacy Professionals Salary Survey. The report offers insight from about 200 Canadian privacy professionals on salary levels according to variables such as privacy experience, certifications, industry, size of organization, gender and more. The survey finds that the median salary for Canadian privacy professionals is $74,005, with the software and services industry topping the scales at $88,648. Also, take a look at data on recent raises and bonuses received and the differences in salaries related to position and acquiring a certification. [Full Story] See also: [Cost of data breaches increasing to average of $3.8 million, new Ponemon study says]
Google and Max Mosley, formerly of Formula One, have settled a long-running legal dispute involving compromising images of the well-known UK figure that were published in 2008. Mosley had urged Google to automatically remove links to the images, but the company had argued that it should remove such links on a case-by-case basis. In many ways, the Mosley case previewed the EU’s so-called right-to-be-forgotten phenomenon. Terms of the deal between Google and Mosley have not been disclosed, but according to the report, suits filed by Mosley in Germany, France and the UK have all been settled. [The Wall Street Journal]
31 states have reached a settlement with credit bureaus Equifax, Experian and TransUnion requiring them to alter the way they handle consumers’ financial and credit history data. Topping the list of changes, the firms must provide the participating states with the lender names and other businesses that consistently share erroneous data. If the states see a spike in consumer complaints regarding inaccurate information, the state attorneys general (AGs) may have the option to investigate. The settlement is similar to one reached between the credit bureaus and the New York AG. Ohio AG Mike DeWine said complaints have risen in the past year, adding, credit bureaus “have a flawed system that cannot effectively work. Changing (that) behavior was (a) No. 1 priority.” [The Wall Street Journal] [ABC News: 31-State Deal Should Make Credit Report Errors Easier to Fix]
CA – Terrorist Activity Financing Indicators Published
Canadian businesses and reporting entities such as financial institutions generally have little experience with terrorist financing and what to look out for to comply with Anti-Money Laundering requirements. As part of the federal government’s broader intelligence efforts to counter these threats, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has worked with Canadian law enforcement and national security partners to update indicators of terrorist activity financing – often effected through money laundering. Available publicly for the first time, FINTRAC’s updated list highlights actions which could indicate money laundering activities. It red flags transactions where there could be reasonable grounds to suspect a terrorist activity financing offence.
Indicators linked to Terrorist Activity Financing
- Client accesses accounts, and/or uses debit or credit cards in high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and / or political instability or known to support terrorist activities and organizations.
- Client identified by media or law enforcement as having travelled, attempted / intended to travel to high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
- Client conducted travel-related purchases (e.g. purchase of airline tickets, travel visa, passport, etc.) linked to high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
- The client mentions that they will be travelling to, are currently in, or have returned from, a high risk jurisdiction (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
- Client depletes account(s) by way of cash withdrawal.
- Client or account activity indicates the sale of personal property / possessions.
- Individual/entity’s online presence supports violent extremism or radicalization.
- Client indicates planned cease date to account activity.
- Client utters threats of violence that could be of concern to national security / public safety.
- Sudden settlement of debt(s) or payments of debts by unrelated third party(ies).
- Law enforcement indicates to reporting entity the individual/entity may be relevant to a law enforcement and/or national security investigation.
- Client’s transactions involve individual(s) / entity(ies) identified by media or law enforcement as the subject of a terrorist financing or national security investigation.
- Client donates to a cause that is subject to derogatory publicly available information (crowdfunding initiative, charity, NPO, NGO, etc.).
- Client conducts uncharacteristic purchases (e.g. camping/outdoor equipment, weapons, ammonium nitrate, hydrogen peroxide, acetone, propane, etc.).
- A large number of email transfers between client and unrelated third party(ies).
- Client provides multiple variations of name, address, phone number or additional identifiers.
- The sudden conversion of financial assets to a virtual currency exchange or virtual currency intermediary that allows for increased anonymity.
For more information on submitting suspicious transaction reports to FINTRAC, see the agency’s Suspicious Transactions guidelines. [Mondaq News]
WW – PCI: 5 New Security Requirements
New Task Force Created to Assist Smaller Merchants. Five best practices noted in version 3.0 of the PCI Data Security Standard will become requirements after June 30, and smaller merchants are likely to be the most affected. That’s because the new requirements relate to point-of-sale vulnerabilities that have commonly been linked to exploits at small and mid-sized businesses. The best practices, which were included when PCI-DSS version 3.0 was released in November 2013, state:
- Merchants should secure authentication and online session management, to help prevent the theft of online credentials;
- Third-party service providers with remote access to POS systems should use a unique passcode credential for each merchant customer;
- Service providers should confirm in writing that they are responsible for the security of cardholder data they store, process or transmit on behalf of the merchant;
- Merchants should regularly inspect POS devices to ensure they have not been “swapped” or tampered with to skim or collect card details;
- Merchants should conduct regular penetration testing through simulated device attack scenarios to exploit known and possible vulnerabilities.
The PCI Security Standards Council says merchants of all sizes are increasingly at risk, and that these requirements reflect areas all businesses should address. [Bank Information Security]
The Open Bitcoin Privacy Project (OBPP) has released what it’s calling the Spring 2015 Wallet Privacy Rating Report to assess the effectiveness of the top 10 most popular Bitcoin wallets in protecting users’ privacy. The wallets underwent 38 privacy tests that were grouped into five categories, and each test was assigned classifications in relation to usability, quality and feedback. Overall, Darkwallet ranked first among the major Bitcoin wallets and was the first to be “explicitly devoted to privacy as a primary design goal,” the report states. Armory ranked second, followed by Mycelium and Bitcoin Wallet. [CoinReport]
FATCA requires foreign banks to reveal Americans with accounts over $50,000. Non-compliant institutions could be frozen out of U.S. markets, so everyone is complying. …More than 80 nations—including virtually all that matter—have agreed to the law. So far, over 77,000 foreign financial institutions (FFIs) have signed on too. Countries must throw their agreement behind the law or face dire repercussions. Even tax havens have joined up. The IRS has a searchable list of financial institutions. Countries on board are at FATCA – Archive. [Forbes] [NYT: An American Tax Nightmare] [Solicitor Client Privilege in Tax Matters]
Over the first three months of this year, the agency’s security and internal-affairs division sent 16,000 employees an e-mail designed to replicate the potentially dangerous messages that are common to anyone with an e-mail account. …The result of the CRA’s test was that 78% of employees did not click on the link contained in phishing attempts. However, that means roughly 3,500 employees did fall for the scam, even though they were informed ahead of time that the test would take place. [Globe & Mail] See also: [What To Do When Your Nonprofit Becomes The Target Of A Phishing Scam]
The Yukon government is refusing to release names and specific salaries of public-sector workers that make more than $100,000. Currie Dixon, the minister responsible for the Yukon Public Service Commission, said in an announcement that doing so would violate the Yukon Access to Information and Protection of Privacy Act. The statement was made in response to a CBC inquiry related to a report on “sunshine lists” that noted, “Government is the top public-sector employer in Yukon, accounting for 40% of the total jobs … It turns out a sunshine list is not a popular idea with either the territorial government or the union representing its employees.” [CBC] [Source]
Across the country, law enforcement agencies are equipping police and patrol cars with cameras to capture interactions between officers and the public. But many of those police forces, like Gardena’s, do not release the recordings to the public, citing concerns about violating the privacy of officers and others shown in the recordings and the possibility of interfering with investigations. That approach has drawn criticism from some civil rights activists who say that the public release of recordings is crucial to holding police accountable — especially if the officers involved in the incidents are allowed to view the videos. [LA Times]
In a move to hasten research “that could lead to the availability of promising medical treatments and devices,” the House Committee on Energy and Commerce has voted unanimously in favor of the 21st Century Cures bill, which looks to remove the patient consent requirement for covered entities to use protected health information (PHI) for academic purposes. The move has raised concerns, however. “The patient control is being relaxed, yet it’s unclear to me where the data will go,” said the Center for Democracy & Technology’s Michelle De Mooy.
Legislation that requires significant changes to the HIPAA privacy regulations could result in “significant administrative hurdles and burdens,” Holtzman says. “For example, if there would be significant changes to when healthcare providers and health plans can use or disclose PHI, they would be required under existing regulations to update their notices of privacy practices,” he says. “As we saw with the implementation of the Omnibus Rule in 2013, there are significant costs in developing and distributing the notices.” If the legislation is approved, it could take some time for the privacy changes to affect healthcare providers and business associates. “If the bill is passed into law – always a big if – it provides HHS with a year to implement the law through regulations,” Greene notes. “Realistically, though, it may take far longer before HHS is able to publish a final rule.” [GovInfoSecurity]
In the Office of the National Coordinator for Health IT’s recently published public comments on its draft for nationwide interoperability, health data privacy and security were top issues for several organizations. The office released Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Draft Version 1.0 in January, and in the public comments, accepted through April 3, many agencies said they were in favor of interoperability and data exchanges but that providers “must be interoperable without sacrificing patient privacy in the process,” the report states. Intel submitted that privacy and security protections must be addressed holistically through “effective end-to-end security” to protect against exploitations like cybercrime. [HealthITSecurity]
US – HIPAA Audits to Continue
Privacy This Week reports the second phase of the Department of Health and Human Services Office for Civil Rights Health Insurance Portability and Accountability Act audits “is on its way.” [GovInfo Security]
The Department of Homeland Security is requesting that the U.S. Coast Guard (USCG) establish consistent processes for workers’ healthcare record security after audits found the current systems – or lack thereof – troubling. “USCG is limiting its ability to assess risks and mitigate potential for privacy or HIPAA breaches,” says Sondra McCauley, assistant inspector general for IT audits. The crux of the problem, says Chief Information Security Officer Ariel Silverstone, CIPT, is that “it appears that no one functionary, even at the assistant commandant level, is responsible for privacy.” Suggested improvements range from increasing communication between HIPAA representatives and the USCG privacy officer to establishing “milestones to ensure the Coast Guard has contingency plans to safeguard privacy in the event of a disaster or emergency.” [Gov Info Security] [10 tips for creating a cybersecurity program]
A $19 million settlement between Target and MasterCard has been terminated. The deal was originally announced in April and would have provided compensation to banks and credit unions that sued over Target’s breach, but the settlement fell through because not enough banks accepted the deal. In their suit, lawyers argued that the deal with MasterCard “was an attempt to undercut their claims for damages,” the report states. Plaintiffs’ lawyers said, “We are pleased that financial institutions have resoundingly rejected Target and MasterCard’s attempt to avoid fully reimbursing the losses suffered during one of the largest data breaches in U.S. history.” [Reuters]
New figures show health privacy breaches are on the rise in Ontario as Brian Beamish recommends prosecuting another incident. This week, the privacy commissioner’s office released its 2014 annual report, showing that 439 health privacy breaches were reported last year, up from 407 the previous year. But, because Ontario does not have a mandatory reporting requirement like that of most other jurisdictions in Canada, hospitals are not obliged to notify the commissioner of privacy breaches. That means those figures represent just the tip of the iceberg, Beamish has previously told the Star. [Source] See also: [The Star: Is enough being done to stop your health information from going public?]
In his first annual report since becoming Commissioner, Brian Beamish expressed support for the adoption of new tools and offers assistance to Ontario institutions to ensure privacy protection and compliance with the law. In Charting a Course for the Future, the Commissioner examines the use of new technologies in programs being implemented across the province, such as electronic health records and body-worn cameras. He also recognizes the enormous possibilities and benefits of Open Government. The Commissioner offers three recommendations for the government to enhance the privacy of personal information and enable the public to access more government-held information. [Source]
New research suggests the average financial or commercial business faces multiple attacks per month — and it takes months for data breaches to be detected. According to a survey of 844 IT and IT security practitioners in the financial sector across the US and 14 countries within the EMEA region and 675 IT professionals in the same countries within the retail sector, both industries are struggling to cope with today’s threat landscape. Once a data breach occurs, it takes an average of 98 days for financial services companies to detect intrusion on their networks and 197 days in retail. [ZDNet] [Which States Have a Data Breach Notification Law?]
US – Study: Criminals Find Gold Mine in Easy-To-Access Healthcare Data
Criminals have set their sights on the information-rich healthcare sector, according to findings of the recently released Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute. According to the FBI, criminals are targeting the healthcare sector because individuals’ personal information, credit information and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold. In fact, PHI records can fetch up to $60 to $70 each, as opposed to about $5 for credit cards. The Ponemon study found criminal attacks are up 125% in the last five years and the new leading cause of healthcare data breaches. This represents a major shift of data breach causes from accidental to intentional as criminals increasingly target and exploit healthcare data—particularly medical files and billing and insurance records. [Source]
After a University of Rochester Medical Center (URMC) nurse practitioner transferred to a new facility and took a list of URMC patients to her new employer without their consent, the center is reviewing its privacy policies. URMC CEO Mark Taubman acknowledges that the move was a breach of HIPAA and that reform is in order. “This is a wake-up call. This is a slap in the face saying, hey, there is a system problem here,” he said. “Sometimes you just don’t see these things until you get burned.” The nurse practitioner requested the list citing a desire to use the data as a way to “ensure continuity of care,” the report states. [The Democrat and Chronicle]
Adult FriendFinder’s 3.9 million users’ sexual preferences and personal details were compromised after a hacker posted stolen data. Details of users’ sexual preferences – including whether they are gay or straight, and whether they are seeking extramarital affairs – have been compromised, along with email addresses, usernames, dates of birth, postcodes and the unique internet addresses of users’ computers. The dating site bills itself as a “thriving sex community” where users can share sensitive sexual information. [The Guardian] See also: [After Breach, Experts Question Security of Dating Sites] [San Bernardino: Thousands of people’s credit card info found on computers]
mSpy, a company that sells software that people can use to spy on others, has admitted that attackers broke into its systems and stole data. mSpy had initially denied allegations that its systems were breached. The company says that the breach affects 80,000 customers, not the 400,000 reported in earlier stories. The Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions. [Krebs] [BBC] [More Evidence of mSpy Apathy Over Breach]
CareFirst BlueCross BlueShield has acknowledged that an attack on one of its databases compromised the personally identifiable information of 1.1 million customers. The attack resembles those perpetrated on Anthem and Premera. The affected data include names, birth dates, email addresses, and insurance identification numbers. [Krebs] [ComputerWorld] [DarkReading] See also: [City of Oshawa reports privacy breach after 1,000 rec user e-mail addresses released] In Newfoundland and Labrador, a mailing error has led to a breach, and a fax error sent patient lab results to a business owner rather than to doctors. In Alberta, Calgary police had notebooks stolen from an off-duty vehicle and are now “notifying up to 400 people that their privacy may have been breached.” The Star reports on concerns in Ontario that the regulator for Ontario nurses “does not automatically alert police or Ontario’s privacy commissioner when it becomes aware of cases where nurses may have snooped into patient files.” [Full Story]
Microsoft’s research arm has announced a new technology that aims to protect cloud workloads. Last year, Microsoft announced its lockbox approach to safeguarding cloud data, which puts the customers in complete control of their data and requires consent before even Microsoft administrators can access it. The newly revealed Verifiable Confidential Cloud Computing technology takes a similar approach. [eWeek]
Dropbox has announced it has achieved certification for ISO 27018. “We saw an opportunity to lead in this space and demonstrate our commitment to user trust,” said Patrick Heim, head of trust and security at Dropbox. See also: [UK porn industry preps for mandatory ID checks]
The Privacy Commissioner decided that Grubb’s network data was personal information. Under the Privacy Act …First, Grubb’s network data provided information about Grubb, because the data could be linked with other data held by Telstra’s networks and records to establish what websites he had visited, which was information about Grubb. Second, the Commissioner decided that Grubb’s identity could be reasonably ascertained from network data. By itself, network data such as cell tower location information or IP addresses contained nothing about Grubb’s identity. [Mondaq]
A newly published patent detailing plans by Google for Internet-connected toys has generated concerns. Such products would act as an “anthropomorphic device” in the form of a “doll or toy that resembles a human, an animal, a mythical creature or an inanimate object,” the patent states. One would be a teddy bear that could control Internet-of-Things devices within the home through voice command or gestures. A spokesperson for Big Brother Watch described “the creepiness of the product for families,” adding, “Children’s toys should enable children to play in private and not be watched. It’s important that privacy and security by design is taken into consideration and is not an afterthought particularly when dealing with children.” [CNBC]
In an open letter to Facebook CEO Mark Zuckerberg, detractors of Internet.org – a program that aims to be a free, basic Internet provider for third-world countries – cite concerns about privacy and basic ideology that contravenes net neutrality, among others. “It is our belief that Facebook is … building a walled garden in which the world’s poorest people will only be able to access a limited set of insecure websites and services,” they write. The letter comes on the heels of an early release of Internet.org. “We and our critics share a common vision of helping more people gain access to the broadest possible range of experiences and services on the internet,” an Internet.org spokesperson said in response to the letter. [Mashable]
The Global Privacy Enforcement Network plans to focus its 2015 international privacy sweep on the proliferation of websites and mobile applications targeted at children. The sweep involves 29 data protection authorities in 20 countries. “Children are more connected than ever before, and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or e-mail address,” said Canadian Privacy Commissioner Daniel Therrien. “This is about protecting children. I can’t think of anything more important than that.” The sweep will assess whether the apps and websites examined collect personal information from children and the controls in place to limit that collection. [Source]
A coalition of civil rights and privacy advocacy groups has released a set of guidelines urging lawmakers and law enforcement to curb the use of facial-recognition software and prohibit officers from viewing body-cam videos prior to filing their police reports. The groups also call for the video footage to be made publicly available and not under sole control of law enforcement. Meanwhile, [CNN] See also: [Richmond Hill family traumatized by police raid on their home after falling victim to ‘swatting’ prank]
CA – Police Background Checks No Longer Include Mental Health Incidents
In a step forward for mental health rights, the Toronto Police Service will no longer release records of non-criminal mental health encounters with police — including suicide attempts or other psychological crises — to employers and community groups requesting background checks on potential employees or volunteers. Effective this week, the Toronto police force joins law enforcement agencies across Ontario and Canada halting a practice that civil rights and mental health groups have long been decrying as discrimination affecting a growing number of Canadians. Rights organizations including the Canadian Civil Liberties Association, the Ontario Human Rights Commission and the Information and Privacy Commissioner of Ontario have increasingly been sounding the alarm that Canadians with a history of mental illness — or even a single mental health episode that provoked a police response — have lost employment and volunteer opportunities due to the release of non-conviction mental health records. In a May 20 memo sent to community organizations working with children or vulnerable people, Toronto police announced that effective this week, groups making background checks under the “Vulnerable Sector Screening Program” will no longer receive information about mental health-related contact with police. Prior to the change, Toronto police released mental-health information when asked for it by groups hiring for positions ranging from teaching to coaching to volunteering and more. [The Toronto Star]
In an effort to improve relations between police and communities, the White House has announced new standards for federal programs in the aftermath of the Ferguson protests. Mr. Obama said police use of such equipment can send the wrong message by intimidating and alienating local residents. [WSJ]
Newly released documents obtained by the ACLU indicate a debate within the FBI over the legality of collecting license plate data. A heavily redacted e-mail written by a senior vice president at Elsag North America, a major producer of the devices, indicates that the Office of General Counsel—or OGC, an internal legal advisory division within the FBI—”is still wrestling with [license plate recognition] privacy issues.” The executive notes that the FBI at that time had “stopped [the bureau’s] purchase” of the cameras “based on advice from the OGC.” [Bloomberg] Wired reports that the FBI’s Office of General Counsel has raised concerns, internally, about the agency’s use of automatic license plate readers (ALPRs). The ACLU’s Speech, Privacy and Technology Project, notes in a blog post that ALPRs “are a sophisticated way of tracking drivers’ locations, and when their data is aggregated over time, they can paint detailed pictures of people’s lives.” [Questions Remain About How To Use Data From License Plate Scanners] [License-Plate Scanners On the Rise]
A federal drug case “has shed new light on how the USPS law enforcement unit uses something as simple as IP logs on the postal tracking website to investigate crimes.” In the Massachusetts case, which is ongoing, a suspected drug dealer “was found out simply by the digital trail he left on the USPS’ Track n’ Confirm website,” the report states, citing a court affidavit. The USPS’s Stephen Dowd wrote, “The USPS database reflected that an individual using a computer or other device with IP address 126.96.36.199 accessed the USPS Track ‘n Confirm website to track the progress of both the Florida Parcel and Bates Parcel #1.” [Ars Technica]
The Department of Immigration and Border Protection has been granted the power to access the telecommunications data of all Australians after the government quietly amended legislation it passed just two months ago. Under the mandatory data-retention legislation, only a select number of government agencies can access the stored call records, assigned IP addresses, location information, and other telecommunications data for the purposes of investigating breaches of the law. When the Australian Labor Party announced that it would side with the government and pass mandatory data-retention legislation in March, the support came with a number of amendments to the legislation, designed to increase oversight and improve accountability over government access to the stored data. One of the accountability measures was to require the parliament to approve the addition of any new agencies to be allowed access to the stored data. The original legislation only required the attorney-general to add the agencies through regulation. Less than two months after the passage of the Bill, however, another agency has been quietly added to the list: Immigration and Border Protection. The amendment came in the Customs and Other Legislation Amendment (Australian Border Force) Bill 2015, passed by the Australian parliament as part of the overall Australian Border Force legislation to create a “single front-line operational border control and enforcement entity” in the department. The amendment was slammed by Greens communications spokesperson Scott Ludlam, who stated that it would be used by the agency to track down leaks of information from Australia’s offshore detention centres to journalists. “This is the first instance of scope creep. It gives me absolutely no pleasure to say ‘we told you so’, but we did; we said at the time of the data-retention debate that the Bill has scope creep written into it.” Ludlam said that the Bill side-stepped the approval of the Parliamentary Joint Committee of Intelligence and Security to get added to the list of approved agencies. [Source]
A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn’t protected. The program, called Datapp, comes from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data. The reaction to that study prompted the group to create an application where people could test for themselves which applications don’t encrypt data and exactly what is exposed, said Ibrahim Baggili, UNHcFREG’s director. There are many security tools that can collect wireless data traffic, but they’re usually designed for people with some technical background. Datapp is essentially a traffic “sniffer,” along the lines of network traffic analysis tool Wireshark, but much simpler. [Source]
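The check a sniffer like Datapp performs can be shown in a few dozen lines: inspect each captured TCP payload, decide whether it is a TLS record or plaintext HTTP, and for plaintext requests list exactly what is exposed on the wire. This is an added illustration, not Datapp’s or UNHcFREG’s code; the app names and captured payloads are constructed samples.

```python
"""Classify captured payloads as TLS-protected or plaintext HTTP and report
what a plaintext request exposes (constructed example, not Datapp's code)."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Finding:
    app: str                  # which app the capture was attributed to (constructed)
    protected: Optional[bool]  # True = TLS, False = plaintext, None = undetermined
    protocol: str             # "tls", "http" or "unknown"
    exposed: dict = field(default_factory=dict)  # fields readable by a sniffer


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def is_tls_record(payload: bytes) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and a
    record-layer version of 0x03 0x00..0x04 (SSL 3.0 through TLS 1.3)."""
    return (len(payload) >= 5
            and payload[0] == 0x16
            and payload[1] == 0x03
            and payload[2] <= 0x04)


def parse_http_request(payload: bytes) -> dict:
    """Pull out the pieces of a plaintext HTTP/1.x request that anyone on the
    same network could read: host, path, query, cookies, auth header, form body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x request line")
    method, target, _version = parts
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    exposed = {"method": method, "host": headers.get("host", ""), "path": url.path}
    if url.query:
        exposed["query"] = dict(parse_qsl(url.query))
    if "cookie" in headers:
        exposed["cookie"] = headers["cookie"]
    if "authorization" in headers:
        exposed["authorization"] = headers["authorization"]
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        exposed["form"] = dict(parse_qsl(body.decode("latin-1")))
    return exposed


def classify(app: str, payload: bytes) -> Finding:
    """Decide, from the first bytes only, whether this capture is protected."""
    if is_tls_record(payload):
        return Finding(app, True, "tls")
    if payload.startswith(HTTP_METHODS):
        return Finding(app, False, "http", parse_http_request(payload))
    # Neither TLS nor HTTP: could be another encrypted protocol or a custom
    # plaintext one, so do not guess either way.
    return Finding(app, None, "unknown")


def audit(captures) -> list:
    return [classify(app, payload) for app, payload in captures]


def unprotected_apps(captures) -> list:
    """Apps with at least one capture confirmed to be plaintext."""
    return sorted({f.app for f in audit(captures) if f.protected is False})


# Constructed captures standing in for what a sniffer would see from three apps.
SAMPLE_CAPTURES = [
    ("ChatApp", b"GET /api/feed?user_id=1234&session=abc123 HTTP/1.1\r\n"
                b"Host: api.chatapp.example\r\nCookie: sid=9f8e7d\r\n"
                b"User-Agent: ChatApp/2.1\r\n\r\n"),
    # First bytes of a TLS ClientHello record (0x16, version 3.1, length, handshake type 1)
    ("BankApp", bytes.fromhex("16030100c5010000c10303") + b"\x00" * 16),
    ("DatingApp", b"POST /login HTTP/1.1\r\nHost: www.datingapp.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 31\r\n\r\nusername=alice&password=hunter2"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURES):
        status = {True: "protected", False: "PLAINTEXT", None: "undetermined"}[f.protected]
        print(f"{f.app:<10} {f.protocol:<8} {status:<12} {f.exposed}")
    print("unprotected:", unprotected_apps(SAMPLE_CAPTURES))
```

On the constructed captures, both HTTP apps leak session identifiers or a password, while the TLS capture yields only the fact that a handshake occurred.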
In a new blog post, the FTC Division of Privacy and Identity Protection’s Nithan Sannappa writes that “improving the usability and efficacy of permission systems remain important challenges to address.” Sannappa examines how “mobile operating systems can help users make informed decisions regarding access requests and minimize information flows that defy user expectations.” [blog]
The FTC has unveiled the agenda for next month’s workshop on The Sharing Economy: Issues Facing Platforms, Participants and Regulators, which will include panels focusing on market design and structure, trust mechanisms and the interplay between competition, consumer protection and regulation for both industry and policy. In other FTC news, Commissioner Joshua Wright expressed harsh words for the agency during a speech, saying recent Internet-of-Things and data-broker reports chose a more “anecdotal approach” over an “evidence-based” one.
WW – Parents Upload 973 Child Photos on Social Media by Age 5: Study
According to the research, carried out by online safety site The Parent Zone on behalf of safety campaign knowthenet, on average 973 photos are posted online by parents before their children turn five, despite 17% of parents admitting they had never checked their Facebook privacy settings. The research also claimed that almost half (46%) had only checked their settings once or twice, despite Facebook being the most common platform for photo-sharing. The campaign claims parents are running the risk of over-sharing and creating a digital footprint their child has no control over. The knowthenet campaign is being run by internet registry site Nominet, whose chief executive Russell Haworth said: ‘We all love to share those precious moments in our children’s lives with friends and family and sites like Facebook have made it easier than ever. [Daily Mail]
Following the release of its experimental browser last year, Russia’s Yandex has added a suite of new privacy-centric features. The company has switched the software from an alpha to a beta version and has made it the default for international users. In Russia, the browser will remain the experimental alternative to its older browser, but in international markets, users will have the option of private browsing, in part so the company can compete with Google, according to a Yandex spokesperson. Following the alpha release, increased privacy was one of the most requested improvements from users, especially those in Germany, Canada and the U.S. [TechCrunch] See also [Texas: High School Forces Student to Remove Online Photos Under Threat of Suspension] and [Photographer Snaps 100K Pictures in Front of One Shop]
WW – Google’s Internet-Connected Toys Patent Sparks Privacy Concerns
Google’s recently published patent for Internet-connected toys, which have microphones, cameras, speakers and motors, has sparked privacy concerns; the ‘creepy’ anthropomorphic devices might look like a doll or teddy bear, but some people believe they belong ‘in a horror film’ and have visions of an IoT version of Chucky. According to a recently published paper, “Treading Beyond the Iota of Fear: eDiscovery of the Internet of Things,” Google didn’t buy Nest “because the smartphone controlled thermostat was cool;” the company knows a great deal “about its users from scanning Gmail accounts and now it will know when individuals are statistically likely to leave their house.” And “by connecting multiple communication devices into a single automated ecosystem, one can create not only a very accurate data map about a person’s past and recent activity, but also dispense a sensory device – robotic or otherwise – to cater to the person’s anticipatory needs. But will you have control over your personal data map?” That paper talks about the legal eDiscovery aspects of the Internet of Things, looking forward to a time when your IoT devices and their data can be used against you in court. [ComputerWorld] [WW – How Google Now Avoids “Creepy,” Apple Aims To Compete]
Korea Communications Commission, which has sweeping powers covering the telecommunications industry, passed a law mandating spyware on the mobile phones of anybody under the age of 18. Unlike countries with similar laws, such as Japan, parents can’t opt out, regardless of any (well-founded) privacy concerns. Not only is there no opt-out, but the law actually stipulates that mobile phone providers nag parents on a monthly basis until they comply. [NakedSecurity] [Prying parental eyes: Phone monitoring apps flourish in S. Korea, new rule orders installation]
WW – Other News
- The Australian government has expanded access to metadata being held under recently passed data retention laws with the introduction of a new bill, and some are saying this is the “scope creep” they were worried about.
- Australian Privacy Commissioner Timothy Pilgrim has gotten an extra $4.2 million in funding to cover resources required to monitor the privacy implications of the government’s data retention scheme.
- In an effort to increase citizen participation in Australia’s Personally Controlled Electronic Health Record program, the government is making overtures to transition from an opt-in method of enrollment to opt-out.
- The Singapore Personal Data Protection Commission’s Leong Keng Thai and Singapore Minister for Communications and Information Yaacob Ibrahim painted a picture of the regulatory environment in Singapore.
- New Zealand Privacy Commissioner John Edwards says he is “getting tougher as a regulator.” Sam Pfeifle reports from the Singaporean Personal Data Protection Commission’s third annual data protection seminar.
- The South African Department of Justice has announced it will begin the process of appointing an information regulator, the lack of which some have pointed to as holding up the Protection of Personal Information Act that passed 18 months ago.
Sen. Edward Markey (D-MA) has sent letters to the seven major wireless carriers in the U.S., seeking information on the number of law enforcement requests each received in 2013 and 2014, according to a press release. Additionally, Markey wants to know what type of user data law enforcement has been requesting. “America is in the middle of an historic national debate about the legal, constitutional and privacy implications of the mass collection of our telephone information,” he said, adding, “As mobile phones have become 21st-century wallets, personal assistants and navigation devices—tracking each click we make and step we take—we need to know what information is being shared with law enforcement.” [Full Story]
A report from the Department of Justice (DoJ) Office of the Inspector General has revealed that for seven years, the DoJ and the FBI “failed to implement a provision requiring it to create privacy rules for use of an intelligence-gathering tool authorized by the USA PATRIOT Act.” Instead of adopting “minimization” procedures to protect privacy, the DoJ “adopted interim rules,” which the inspector general said “failed to provide FBI agents with specific guidance” on how long to keep “non-public” information about Americans. [WashPost]
Lise Getoor, UC Santa Cruz’s Baskin School of Engineering’s associate dean of research, unveiled her plans for Data, Discovery and Decisions, a “data-driven discovery and decision-making” center for research that will also function as a “forum for researchers in the industry,” the university has announced. “The focus will be on the iterative process of going from data to discovery to decisions, which produces additional data that can be fed back into the process,” Getoor said. “We plan to focus especially on structured and heterogeneous data, such as the data generated by the Internet of Things, or any setting where you want to integrate disparate data from a variety of different sources,” she continued. [Full Story]
The FTC advised companies in a blog post Wednesday that it looks positively on cooperation when conducting investigations into data security breaches. A company that reported a breach on its own and cooperated with law enforcement would be looked on “more favorably” than one that had not, the agency said. “In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach,” said Mark Eichorn, assistant director for privacy and identity protection. The post described what companies can expect when the FTC comes to investigate. [The Hill]
The FTC deems bankruptcy an exception to its prohibition on the selling of data, making said information a potential source of revenue—and liability—for dying companies. The idea is to balance a consumer’s privacy rights with the best interests of a debtor’s estate and its creditors in a bankruptcy proceeding, the report states, citing comments by the FTC’s Jamie Hine. Referencing comments by MIT’s Barbara Wixon, the report points out, “CIOs must remember their legal responsibility to keep privacy promises even while carrying out their responsibility to the business to maximize the value of corporate data.” [The Wall Street Journal]
Yahoo has lost a bid to block a lawsuit filed on behalf of millions of Internet users that alleges wiretapping violations in the company’s scanning of email. U.S. District Judge Lucy Koh has granted class-action status to nonsubscribers of the email service “who claim the company mines data from their messaging for advertising purposes,” the report states. Last year, Koh refused to let a similar complaint against Google advance as a class-action. In the Yahoo case, Koh said the plaintiffs established a “real and immediate threat of repeated injury.” Yahoo has not commented on the ruling. [BloombergBusiness]
US – Uber Ups the Privacy Ante with New Hires
Sabrina Ross, formerly of Apple, is joining Uber’s privacy team in the midst of the company’s initiative to improve its privacy processes. “At Uber, she’ll specifically work on privacy aspects of regulatory and policy issues. She’ll also be reviewing the privacy practices of Uber’s partnerships with companies like Spotify, Starwood and American Express.” Ross will be joining the likes of Chief Security Officer Joe Sullivan and Managing Counsel Katherine Tassi, who previously served as Facebook’s head of data protection. The focus on privacy has, according to an Uber report, resulted in improvements. “Uber has dedicated significantly more resources to privacy than we have observed of other companies of its age, sector and size,” the review said. [Re/Code]
The Network Advertising Initiative (NAI) has released new guidelines for member companies that use non-cookie tracking technologies such as digital fingerprinting. Additionally, the NAI says members must also instruct their publishing partners—such as operators of websites where data is collected—to notify users about non-cookie tracking technology, the report states, and the NAI is currently developing an opt-out mechanism that will not rely on setting third-party cookies. Meanwhile, Adblock Plus has launched a browser for Android mobile devices, and a column for ZDNet defends the use of so-called ad-blocking technology. [MediaPost] Also commonly referred to as online behavioral advertising, IBA is online advertising tailored to consumers’ interests by companies promoting their products or services, accomplished by collecting consumer data across multiple web domains owned or operated by different entities, amassing consumer profiles, and then customizing ads based on the consumers’ interests and web usage patterns using cookie-based and non-cookie-based technology. The NAI Code requires notice and choice with respect to IBA and imposes certain restrictions on members’ collection, use and transfer of data used for IBA. …The Guidance makes it very clear that “before a member may use non-cookie technology for IBA, the member must ensure that the requirements set forth in the Guidance have been adequately satisfied.” Although the Guidance is effective as of its publication on May 18, NAI members will have a grace period to implement policies and procedures to comply with the Guidance. [Source]
Major tech companies including Apple and Google and leading cryptologists are urging President Barack Obama to reject any government proposal that alters the security of smartphones and other communications devices so law enforcement can view decrypted data. A coalition of more than 140 tech companies, technologists and civil society groups sent a letter Tuesday to the White House asking it to protect privacy as it considers law enforcement’s need to access data that is increasingly encrypted, the report states. “Strong encryption is the cornerstone of the modern information economy’s security,” the letter said. Law enforcement, meanwhile, has been warning about threats to public safety if they can’t access data. [WashPost]
The judgment is the final step in a legal battle begun by Rhodes’ ex-wife, who applied for an injunction on the grounds that Rhodes’ graphic accounts of sexual abuse he had suffered as a child would cause psychological harm to his son, who has been diagnosed with Asperger’s syndrome, attention deficit hyperactivity disorder, dyspraxia and dysgraphia. …Rhodes’ lawyer, Tamsin Allen of London firm Bindmans, said: ‘In overturning the injunction, the Supreme Court has reaffirmed the fundamental importance of the freedom to speak the truth, even if the truth is brutal or shocking.’ …Robin Shaw, media law specialist at professional services firm Gordon Dadds, said: ‘If the court had prevented the book’s publication, the decision would have been regarded as a huge interference in the right to publish material about oneself and an extension of privacy laws by the back door.’ [Law Gazette]
US – Brookman to FTC: Let Us Decide If We’re Harmed
“Privacy law in the U.S. is weaker than in most places,” writes the Center for Democracy & Technology’s Justin Brookman, adding, “but hey, at least we’ve got Section 5.” Though it’s based on a law now 100 years old, he notes, it also acts as a baseline, of sorts, preventing consumer deception. “Recently, however,” Brookman writes, “even this weak standard has been called into question, by two sitting commissioners of the FTC, no less. Commissioners Maureen Ohlhausen and Joshua Wright have both indicated that the FTC shouldn’t bring deceptive practices cases against companies absent some objective assessment of consumer harm.” Brookman examines this recent development and describes why such an argument is “an extremely dangerous idea.” [Privacy Perspectives]
Ring is the next generation of the SFLphone project produced by Canadian-based open-source software firm Savoir-faire Linux aimed at giving users a secure VoIP solution. “Ring uses OpenDHT to connect users instead of a centralized SIP server system such as Asterisk,” the report states, which allows Ring “to bypass the server-client methodology by passing along user information to each other.” There’s a growing need for secure communications and “existing solutions are not secure,” the report states, noting services such as Skype and its competitor WhatsApp received poor scores in the Electronic Frontier Foundation’s Secure Messaging Scorecard. [TechRepublic]
In a product review, Think Privacy CEO Alexander Hanff discusses a new social networking site called the Krowd and how it has embraced and built in the principles of Privacy by Design to its services. Distinct from other social sites, Hanff explains, the Krowd runs on local networks where users can create various personas depending on the context of a given social situation. “You can define the Krowd as a dynamic, app-based social network limited to a specific location such as a conference, baseball game or university campus,” Hanff writes. In this post, Hanff describes how this new service works and the potential it could have for users seeking social connection with control. [Privacy Tech]
Automatic is opening an app store so its Bluetooth-enabled car adapter can interact with third parties. The car adapter and accompanying smartphone app allow users to track trips and fuel consumption or locate their parking spots. Now, the Automatic App Gallery will work with Android and iOS, aiming to encourage new apps. “We founded Automatic because we feel that cars weren’t and still aren’t living up to their full potential,” said Automatic Cofounder and CEO Thejo Kote. “They’re basically computers on wheels. They could be doing so much more.” Automatic’s platform uses encrypted and read-only data. [Engadget] see also: [iPhone users’ privacy at risk due to leaky Bluetooth technology]
A paper titled “Building Code for Medical Device Software Security” offers guidance for developers. The purpose of the document “is not to assure that future medical devices can resist every imaginable attack, but rather to establish a consensus among experts … on a reasonable model code for the industry to apply.” [SC Magazine] [CyberSecurity]
Google’s analysis of hundreds of millions of password security questions found that it would be easy for people intent on gaining access to someone’s account to do so: because many people give the same few answers, guessing the most popular ones yielded correct results a surprising amount of the time. Google recommends that, instead of adding more questions, users update their account information with a phone number or secondary email address to help prevent accounts from being taken over. [ABC] [GoogleUserContent] [How loving pizza is compromising your online security]
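Why "popular answers" is the whole problem, as an added example (not Google's analysis code): the attacker's success rate after k guesses is just the combined share of the k most common answers, and the right strength measure is min-entropy (security against the single best guess), not the Shannon entropy that makes a long tail of unique answers look safe. The answer distribution below is constructed, not Google's data, and a random 4-digit PIN is included for comparison.

```python
import math
from collections import Counter

def top_k_success(answers: Counter, k: int) -> float:
    """Chance that an attacker who tries the k most popular answers gets in."""
    total = sum(answers.values())
    return sum(count for _, count in answers.most_common(k)) / total

def min_entropy_bits(answers: Counter) -> float:
    """Security against one best guess: -log2(probability of the most common answer)."""
    total = sum(answers.values())
    return -math.log2(answers.most_common(1)[0][1] / total)

def shannon_entropy_bits(answers: Counter) -> float:
    """The usual entropy figure, which overstates the work a guessing attacker faces."""
    total = sum(answers.values())
    return -sum(c / total * math.log2(c / total) for c in answers.values())

def summarize(answers: Counter, k: int = 10) -> dict:
    return {"top1": top_k_success(answers, 1),
            f"top{k}": top_k_success(answers, k),
            "min_entropy_bits": min_entropy_bits(answers),
            "shannon_bits": shannon_entropy_bits(answers)}

# Constructed distribution for "What is your favourite food?" over 1,000 users:
# a handful of very popular answers plus a long tail of one-offs.
FAVOURITE_FOOD = Counter({"pizza": 200, "tacos": 80, "sushi": 50, "pasta": 40, "chocolate": 30})
FAVOURITE_FOOD.update(f"unique-answer-{i}" for i in range(600))

# A uniformly random 4-digit PIN for comparison.
RANDOM_PIN = Counter(f"{i:04d}" for i in range(10_000))

if __name__ == "__main__":
    for name, dist in (("favourite food", FAVOURITE_FOOD), ("random PIN", RANDOM_PIN)):
        s = summarize(dist)
        print(f"{name:15} 1 guess: {s['top1']:.1%}  10 guesses: {s['top10']:.1%}  "
              f"min-entropy: {s['min_entropy_bits']:.1f} bits  shannon: {s['shannon_bits']:.1f} bits")
```

With this distribution a single guess ("pizza") succeeds one time in five and the Shannon figure is still above 7 bits; the min-entropy of about 2.3 bits is the number that matches the attacker's experience, which is why a phone number or secondary address, which the attacker cannot guess, is the better recovery factor.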
James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days,” he said. Trainor also said the cybersecurity industry needs to “double or triple” its workforce in order to keep up with hacking threats. [The Hill] See also: [UK: Manchester car park lock hack leads to horn-blare hoo-ha]
As Canadian politicians debate a proposed privacy breach notification law, Risk and Insurance Management Society Inc. said it supports a “unified standard” south of the border: a single set of rules mandating notification whenever a data security breach results in an unauthorized release of private personal information. “There are currently 47 different state data breach notification laws in place,” RIMS stated in a press release Tuesday about breach notification rules in the United States. “This has proven onerous for commercial insurance buyers whose organizations operate in multiple states and must comply with several different laws whenever a cyber-breach is experienced.” [Canadian Underwriter]
Close to 50% of US financial institutions rank cyber security as their number one concern, according to a survey from the Depository Trust & Clearing Corporation (DTCC), topping geo-political risks and new regulations. The DTCC’s Systemic Risk Barometer Study compiled responses from 250 financial market participants. In last year’s report, just 24% of respondents ranked cyber security as their top concern. [SC Magazine] [Most Web sites have serious vulnerabilities, says report]
Researchers have created a data protection system that would make it more difficult for hackers to obtain passwords from leaked databases. In a research paper submitted for consideration at the 2015 Annual Computer Security Applications Conference, the team of researchers unveiled ErsatzPasswords, which misleads hackers using brute force attacks to crack hashed passwords. Purdue University’s Mohammed Almeshekah said adversaries “will still be able to crack that file; however, the passwords they will get back are fake passwords or decoy passwords.” ErsatzPasswords adds a machine-dependent step, computed by hardware on the authentication server, before a password is hashed; an attacker who steals the hash file but not that hardware cannot reverse the stored values to the real plaintext passwords, and offline cracking yields the decoys instead. [CIO]
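A simplified construction in the spirit of the scheme described above, as an added example: this is my own illustration, not the paper's exact design or its code. The hardware-dependent function is stood in for by HMAC-SHA256 under MACHINE_KEY, a stand-in for a secret that in a real deployment lives in a hardware module and does not leave the server with a stolen file; the stored hash is plain SHA-256 to keep the demo fast, where real code would use a slow, memory-hard password hash. Usernames, passwords and the wordlist are constructed; `Optional` is used so the block runs on Python 3.8+.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

MACHINE_KEY = secrets.token_bytes(32)   # stand-in for the HSM-bound secret (assumption)
BLOCK = 32                              # bytes; HMAC-SHA256 output length

def hdf(salt: bytes, password: str) -> bytes:
    """Hardware-dependent function stand-in: only this machine can compute it."""
    return hmac.new(MACHINE_KEY, salt + password.encode(), hashlib.sha256).digest()

def _pad(s: str) -> bytes:
    b = s.encode()
    if len(b) >= BLOCK:
        raise ValueError("decoy too long for one block")
    return b + b"\x00" * (BLOCK - len(b))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def slow_hash(salt: bytes, pw: bytes) -> bytes:
    # Demo only: substitute scrypt/argon2 in real code.
    return hashlib.sha256(salt + pw).digest()

def enroll(password: str, decoy: str) -> dict:
    """Store a record that, cracked offline, recovers `decoy` rather than `password`."""
    salt = os.urandom(16)
    mask = _xor(hdf(salt, password), _pad(decoy))   # needs MACHINE_KEY to undo
    return {"salt": salt, "mask": mask, "hash": slow_hash(salt, decoy.encode())}

def verify(record: dict, candidate: str) -> str:
    """Return 'ok', 'decoy' (someone cracked the file and is using the fake) or 'fail'."""
    salt = record["salt"]
    recovered = _xor(hdf(salt, candidate), record["mask"]).rstrip(b"\x00")
    if hmac.compare_digest(slow_hash(salt, recovered), record["hash"]):
        return "ok"
    # The decoy hashes directly to the stored value, so a login with it is an alarm.
    if hmac.compare_digest(slow_hash(salt, candidate.encode()), record["hash"]):
        return "decoy"
    return "fail"

def offline_crack(record: dict, wordlist) -> Optional[str]:
    """What an attacker with the stolen file but without MACHINE_KEY can do."""
    salt = record["salt"]
    for guess in wordlist:
        if slow_hash(salt, guess.encode()) == record["hash"]:
            return guess
    return None

# Constructed sample data.
REAL_PASSWORD = "Tr0ub4dor&3"
DECOY_PASSWORD = "Spring2015!"
WORDLIST = ["123456", "password", "letmein", "Spring2015!", "qwerty"]

if __name__ == "__main__":
    rec = enroll(REAL_PASSWORD, DECOY_PASSWORD)
    print("attacker cracks:", offline_crack(rec, WORDLIST))   # the decoy, not the real one
    print("real password:", verify(rec, REAL_PASSWORD))
    print("decoy at login:", verify(rec, DECOY_PASSWORD))     # alarm
```

The stolen file looks exactly like a salted-hash file of the decoys, so the cracker finishes "successfully"; the real password is only recoverable by XORing the mask with a value the attacker cannot compute. The caveat the paper's own threat model carries is visible here too: if MACHINE_KEY is on the same disk as the file, the scheme collapses to ordinary salted hashing.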
Thieves are exploiting a weakness in Starbucks’ mobile app to steal money from users’ bank accounts. The app can be used to pay at the coffee chain’s checkouts with smartphones and can also be set up to draw money from payment accounts to reload gift cards. The attackers have reportedly been breaking into Starbucks accounts to transfer money from bank accounts using the app’s auto-reload function. Thieves need only the username and password to access the accounts. Starbucks says its system has not been breached, but that the attacks are the result of breaches of access credentials elsewhere and affect people who reuse that information on multiple sites. Consumer advocate Bob Sullivan urges users to disable the auto-reload function. [BobSullivan] [SiliconRepublic] [SC Mag] [Krebs]
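What the pattern above looks like from the service side, as an added example (not Starbucks' code): credential stuffing shows up as one source address failing logins against many different accounts in a short window, and the payoff shows up as a successful login from that same address followed quickly by a reload. The log format, IP addresses, usernames and thresholds below are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")

def parse(line: str) -> dict:
    """Turn '2015-05-13T10:00:01Z ip=... user=... event=... ...' into a dict."""
    m = LINE.match(line)
    ev = dict(pair.split("=", 1) for pair in m["kv"].split())
    ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def stuffing_sources(events: List[dict], window=timedelta(minutes=5),
                     min_users: int = 4) -> Dict[str, int]:
    """IPs whose failed logins hit >= min_users distinct accounts inside `window`."""
    fails = defaultdict(list)
    for ev in events:
        if ev["event"] == "login" and ev.get("result") == "fail":
            fails[ev["ip"]].append(ev)
    flagged: Dict[str, int] = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

def takeovers(events: List[dict], flagged: Dict[str, int],
              grace=timedelta(minutes=10)) -> List[Tuple[str, str, str]]:
    """Successful logins from a flagged IP followed by a reload on that account."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, login in enumerate(evs):
            if login["event"] == "login" and login.get("result") == "ok" and login["ip"] in flagged:
                for later in evs[i + 1:]:
                    if later["event"] == "reload" and later["ts"] - login["ts"] <= grace:
                        hits.append((user, login["ip"], later["amount"]))
    return hits

def analyze(log_text: str):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    flagged = stuffing_sources(events)
    return flagged, takeovers(events, flagged)

# Constructed sample log: one legitimate user, one fat-fingered login, one stuffing run.
SAMPLE_LOG = """\
2015-05-13T09:30:00Z ip=198.51.100.2 user=alice event=login result=ok
2015-05-13T09:31:00Z ip=198.51.100.9 user=frank event=login result=fail
2015-05-13T09:31:20Z ip=198.51.100.9 user=frank event=login result=ok
2015-05-13T10:00:01Z ip=203.0.113.7 user=bob event=login result=fail
2015-05-13T10:00:04Z ip=203.0.113.7 user=carol event=login result=fail
2015-05-13T10:00:09Z ip=203.0.113.7 user=dave event=login result=fail
2015-05-13T10:00:15Z ip=203.0.113.7 user=erin event=login result=fail
2015-05-13T10:00:30Z ip=203.0.113.7 user=alice event=login result=ok
2015-05-13T10:01:10Z ip=203.0.113.7 user=alice event=reload amount=100.00
2015-05-13T12:00:00Z ip=198.51.100.2 user=alice event=reload amount=25.00
"""

if __name__ == "__main__":
    flagged, hits = analyze(SAMPLE_LOG)
    print("stuffing sources:", flagged)
    print("likely takeovers:", hits)
```

Frank's single failed attempt followed by success is not flagged, and alice's afternoon reload from her usual address is not either; only the reload minutes after a login from the address that just sprayed four other accounts is. The stricter fix is the one Sullivan recommends, disabling auto-reload, because it removes the payoff rather than relying on the service to spot the pattern.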
While conversations continue around the Kline-Scott discussion draft to amend the Family Educational Rights and Privacy Act (FERPA), Sen. David Vitter (R-LA) has introduced a new FERPA amendment, and Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) have reintroduced a 2014 amendment. The Data Quality Campaign (DQC) provides this update on student privacy legislation in the U.S., noting that the Vitter bill “is alarmist in its approach to data and privacy and all but guts state Statewide Longitudinal Data Systems.” Also, get more information on the 178 bills DQC is tracking and two new state laws in Georgia and Maryland. [Privacy Tracker]
Sen. Mitch McConnell (R-KY) said he’ll allow a vote on an overhaul of U.S. surveillance programs, meaning the Senate is expected to vote this week on the USA FREEDOM Act, which gives the NSA six months to change its bulk-record collection methods. But, in The Christian Science Monitor, Rachel Brand of the Privacy and Civil Liberties Oversight Board shares concerns over losing Section 215, calling it “an essential investigative tool.” Separately, Bryan Cunningham writes for Politico about the trend toward new spying powers in the EU while the U.S. scales back. And Edward Snowden is the focus of a cover story in The New York Times as disagreements continue over the NSA documents he leaked. “The rest of the documents have been used as a kind of intelligence porn for the rest of the world: ‘Oooh, look at what NSA is doing,’” former NSA General Counsel Stewart Baker said. [The Hill]
Obama called on the Senate to approve a House-passed bill that would change the phone record collection program while renewing less controversial Patriot Act provisions that also expire at the end of the month. The Senate rejected the House bill by three votes last weekend and is on a break until Sunday, just hours before the spying powers are scheduled to expire. …Paul said the House bill supported by Obama, under which the records would be kept by the phone companies instead of the government, doesn’t go far enough to stop the NSA from getting the data. He argued that Obama should be shutting down the bulk collection of phone records. [Source] [NYTimes]
After hackers posted tracking app mSpy’s “sensitive data”—including text messages and “payment information”—online, Sen. Al Franken (D-MN) is once again urging Congress to pass legislation against such apps. “I believe every American has a fundamental right to privacy, which includes the right to control whether and with whom personal, sensitive information—including location data—is being shared,” Franken wrote. “Such apps not only operate in clear violation of fundamental privacy principles, but the serious danger they pose is well-documented.” The report notes mSpy itself has not yet confirmed the breach. [The Hill]
Calling it a “pilot program” for the NSA, a group of provocateurs hid tape recorders under tables and benches around New York City to record random conversations and then published them on their website, wearealwayslistening.com. A message on the website states, “Eavesdropping on the population has revealed many saying, ‘I’m not doing anything wrong so who cares if the NSA tracks what I say and do?’ … We’ve started with NYC as a pilot program but hope to roll the initiative out all across The Homeland.” Those whose conversations were recorded had no knowledge they were being surveilled, the report states. [Wired]
Model law enforcement drone guidelines: No weapons, limit deployment, keep them in operator’s sight: Police agencies across the nation are increasingly using drones to improve public safety, but need clear operations policies and limits to win public trust, experts said at a law enforcement conference in San Diego. To that end, a model policy on use of drones – or “small unmanned aircraft systems” – was rolled out by the International Association of Chiefs of Police. The policy, which could be adopted or revised by any law agency, sets out specific procedures for deploying a drone, lists restrictions on its use, details how data would be retained or deleted and how operators should be trained. The International Association of Chiefs of Police set out drone-use guidelines for law agencies in 2012 and a committee spent the next three years developing the model policy. Among the rules:
- Drone deployment must be authorized by an executive officer or supervisor.
- Deployments would be to assess the scope of an incident, assist search and rescue, give aerial views for crowd control or temporary perimeter control, to document a crime or accident scene or assist tactical squads.
- Drones would be used only by trained operators within line-of-sight of the device and other FAA rules.
- Flights times, locations, missions and operators should be fully documented.
- Drones should not be equipped with weapons.
- Data should be downloaded securely and not erased or duplicated without written approval.
- Agencies should consider notifying the public when the drone is being used. [Source]
17 states have passed laws to restrict the use of such craft, but where does private property begin? Many attorneys have cited that 1946 case as a looming dilemma for regulators and the drone industry. They say it poses tough legal questions, such as where does “navigable airspace” begin and the control of property owners end? “We weren’t forced to answer these questions and we absolutely will be now,” said John Villasenor, a public-policy professor at the University of California, Los Angeles. “And I’m quite sure that we collectively don’t have the answers yet.” [WSJ] See also: [The New Jersey Assembly has passed a bill requiring police, in most cases, to get warrants prior to using drones] [The Nevada Senate has passed AB239, which would create regulations for drone use in the state. The bill passed unanimously in the Assembly last month] [South Africa has a new law regulating the use of drones that includes requiring operators to have licenses and prohibiting them from flying drones within 50 meters of crowds] [The South African Civil Aviation Authority plans to introduce new regulations to govern drones; however, Claudia Eisenburg of Norton Rose Fulbright’s Johannesburg office says some of the requirements conflict with potential business applications] and [Here’s a security drone that follows you around (and takes video)] and [UK Criminals Use Drones To Case Burglary Prospects]
The US Federal Communications Commission (FCC) is notifying Internet providers to let them know that they are now subject to stringent privacy regulations. These regulations follow from the FCC’s net neutrality rules: broadband providers are now subject to the same rules that protect landline phone service customer data. The providers cannot share customer information with other entities without express permission from the customer. [WashPost] [Factory reset memory wipe FAILS in 500 MEELLION Android [phones]] and [Liquor bottles now can talk to your cellphone]
The FBI has issued a statement regarding US law enforcement use of cell-site simulators, known colloquially as StingRay, the brand name of a particular device. Several recent lawsuits revealed that the FBI has a non-disclosure agreement with local law enforcement agencies and that in at least one case, local law enforcement was urged to drop a case rather than divulge details about the technology’s use. The recent statement from the FBI says that local law enforcement are not prevented from disclosing its use of StingRays, but that “the FBI’s concern is with protecting the law enforcement sensitive details regarding the tradecraft and capabilities of the device.” [ArsTechnica] [WashPost] [DocumentCloud]
A Citizen Lab study finds Canadian governments and telecoms lag other countries when it comes to transparency about surveillance. The report also criticizes the government’s “irresponsibility surrounding accountability” with respect to telecommunications surveillance. It warns that this could endanger the development of Canada’s digital economy and breed cynicism among citizens. “Access to our private communications is incredibly sensitive,” said Christopher Parsons, lead author of the study and a postdoctoral researcher at Citizen Lab, which conducts research on information technology in the context of human rights and global security. The report, funded by the Canadian Internet Registration Authority, showed Canadians recognize this and are very concerned. But despite that, evidence suggests governments and law enforcement have been demanding millions of subscriber records from telecom firms in recent years. [CBC]
Some in the broadband industry are confused by the FCC’s guidance on privacy rules that broadband providers will be subject to starting next month. “I’m hesitating because we just found it stunningly unhelpful,” said one telecom lawyer. “And, you know, they’re sort of oblivious to the fact that for years now there’s been this ongoing debate and discussion in Washington and throughout the country on what does privacy mean, what are the core (tenets) of privacy,” the lawyer said, adding, ”to come out and say, ‘well just do that,’ it’s just laughable.” An FCC representative said the advisory was guidance about the agency’s thinking only and not evidence of a new rule or changes to already published rules. [The Hill]
Rand Paul spoke about the bulk collection of data. He spoke about civil forfeiture. He spoke about Section 213 of the Patriot Act, “this whole sneak-and-peek” that allows the government to come into a person’s house. He spoke about criminal justice. And spying. And a 1928 court case. And the Ninth Amendment. Every half-hour or so a new stenographer came over to stand by Paul’s desk, relieving the previous one. Most of all, Paul spoke about how the Patriot Act allows for the collection of bulk surveillance. “We should be in open rebellion, saying enough’s enough,” he said. “Where’s the outrage?” he asked. The chamber was nearly empty, save for a few staffers seated in the back and a security guard standing near the door. Five Senate pages sat on the steps of the dais, looking directly at Paul. One young woman twirled the end of her hair. A young man picked at his cuticles. [WashPost] [Republican presidential nominee Rand Paul attracts odd bedfellows in his talkathon] [NYT: Rand Paul’s Timely Takedown of the Patriot Act] [Rand Paul’s Senate ‘filibuster’: five great points he made about NSA surveillance] [After Rand Paul’s Sort-of Filibuster, What’s Next for Surveillance Reform?] [Rand Paul Speaks 11 Hours Against Patriot Act Renewal] [Patriot Act Phone Snooping Likely To Expire After Mcconnell Gambit Backfires] [Randstand: Republican Presidential Candidate Leads Bipartisan Opposition to Patriot Act] [Fight in Congress to Preserve NSA’s Metadata Program Comes to Naught] [NSA Surveillance Reform Bill Is A Sham That Violates Our Privacy] [National Journal: DoJ: Some NSA Programs Could Shut Down this Week]
The Senate left Washington with the government’s surveillance program in disarray after lawmakers mustered only 57 of the 60 votes needed to pass the House bill. The legislation would stop the N.S.A. from using a section of the Patriot Act to justify collecting reams of so-called metadata from phone companies — information that shows virtually every phone call, the numbers called and the times of the calls. Instead, the phone companies would hold those records, accessible to the N.S.A. through a search warrant. …Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in. [NY Times] [Obama Weighs Strategy as Data Laws Run Out]
A bipartisan group of legislators wants to strengthen the Privacy and Civil Liberties Oversight Board (PCLOB). Sens. Ron Wyden (D-OR) and Tom Udall (D-NM) and Reps. Tulsi Gabbard (D-HI) and Trey Gowdy (R-SC) have introduced legislation “to expand the authority of the PCLOB and make its five board seats full-time positions,” the report states, noting that the Strengthening Privacy, Oversight and Transparency Act “would also give the PCLOB the ability to issue subpoenas without having to wait for the Justice Department.” Wyden said, “By giving the board a broader mandate and more authority, Congress can better protect the privacy and civil rights of law-abiding Americans.” [The Hill]
“…The Court finds, under the totality of the unique circumstances of this case, that the imaging and search of the entire contents of Kim’s laptop, aided by specialized forensic software, for a period of unlimited duration and an examination of unlimited scope, for the purpose of gathering evidence in a pre-existing investigation, was supported by so little suspicion of ongoing or imminent criminal activity, and was so invasive of Kim’s privacy and so disconnected from not only the considerations underlying the breadth of the government’s authority to search at the border, but also the border itself, that it was unreasonable. Therefore, the motion to suppress the evidence …. will be granted.” Amy Berman Jackson, Federal judge, US District Court for Washington DC. [NakedSecurity] See also: [Canadian border security: Most travellers aren’t fully screened]
A lack of regulation for the data that products like smart watches and fitness trackers collect could translate into discrimination in the future and experts are calling for regulations, Computerworld reports. Santa Clara University’s Irina Raicu said, “The broader privacy concern is that information collected from various sources is increasingly being combined to create profiles from individual users and draw inferences about their future actions, preferences, etc.” Forrester’s Fatemeh Khatibloo said regulations are needed “to encompass … egregious and discriminatory uses of data.” She added, “It has to be a government role; I don’t think self-regulating trade bodies will do that effectively.” [Full Story]
An amended version of the bipartisan 21st Century Cure Bill, which aims to advance medical innovation, has passed its first Congressional hurdle without any revisions to controversial provisions that would make significant changes to the Health Insurance Portability and Accountability Act Privacy Rule. On May 14, the House Energy and Commerce’s health subcommittee “approved a 302-page ‘markup,’ or amended, version of the 21st Century Cure bill,” which would penalize vendors of electronic health records who fail to meet standards for secure information-exchange, the report states. But some are displeased with the bill. David Holtzman of CynergisTek, for example, says the bill could result in “significant administrative hurdles and burdens.” [Gov Info Security]
Florida Gov. Rick Scott has signed legislation that makes posting “revenge porn” online a crime. Florida now joins another 16 U.S. states with similar laws. The “sexual cyberharassment” bill takes effect October 1, the report states, and “makes it a misdemeanor punishable by up to a year in jail to transmit nude pictures with identifying information about the subject of the images without that person’s consent.” The bill defines “cyberharassment” as distributing such images without consent and with the goal of “causing substantial emotional distress.” Additional offenses would be classified as felonies, the report states, and would carry penalties as high as five years in prison. [Reuters]
Sen. David Vitter (R-LA) has introduced his own version of a student privacy bill, adding to the collection of those already drafted. Vitter’s Student Privacy Protection Act aims to give parents control over how their children’s data is released and used. “Parents are right to feel betrayed when schools collect and release information about their kids,” Vitter said in a statement. “This is real, sensitive information—and it doesn’t belong to some bureaucrat in Washington, DC.” Meanwhile, Sens. Ed Markey (D-MA) and Orrin Hatch (R-UT) wrote an op-ed on why their school privacy bill is essential to children’s safety in the Digital Age. [The Hill] See also: [ON: Bishop Horden residential school survivors fight Ottawa in court]
US – Other US Legislative News
- Sen. Richard Blumenthal (D-CT), ranking member of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, says he’s hopeful the Senate can reconcile the multiple data breach measures currently being debated.
- Sen. Kelly Ayotte (R-NH) has signed on to pending legislation introduced by Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT) to update U.S. privacy laws for email and other forms of electronic messaging.
- The Connecticut legislature is debating a bill that would see all of the state’s police officers outfitted with body-worn cameras.
- The New Hampshire Senate has sent legislation that would expand criminal background checks for prospective public school employees back to committee upon pressure from the teachers union.
- Debates continue over the value of the USA PATRIOT Act, but Sen. Mitch McConnell (R-KY) said he’ll allow a vote on an overhaul of U.S. surveillance programs.
- House Homeland Security Chairman Mike McCaul (R-TX) says the USA PATRIOT Act, set to expire June 1, will be renewed by Congress with more privacy protections.
- Sen. Edward Markey (D-MA) has asked the seven major wireless carriers in the U.S. for data on the number of law enforcement requests each received in 2013 and 2014 and what information was requested, according to a press release.
- The Electronic Frontier Foundation has pulled its support from the USA FREEDOM Act, asking for more reforms to be included from the 2013 version of the bill. Tech industry groups are encouraging the bill’s passage, however.
- A bipartisan group of legislators, including Sens. Ron Wyden (D-OR) and Tom Udall (D-NM) and Reps. Tulsi Gabbard (D-HI) and Trey Gowdy (R-SC), wants to strengthen the Privacy and Civil Liberties Oversight Board.
- Washington Gov. Jay Inslee has signed a bill that will require law enforcement to get a judge-approved warrant before deploying stingrays or cell-site simulators.
- Georgia Gov. Nathan Deal has signed the Student Data Privacy, Accessibility and Transparency Act into law, putting controls around the management of student data.
- A bill from Sens. Orrin Hatch (R-UT) and Edward Markey (D-MA) aims to force the hand of educational institutions to not only alert students and their families that their data is being handled by third parties but also prohibit schools from selling said data.
- Sen. David Vitter (R-LA) has introduced his own version of a student privacy bill to give parents control over how their children’s data is released and used, adding to the collection of those already drafted.
- Maryland Gov. Larry Hogan has signed a law that prohibits officials at higher education institutions from requiring students to give them access to private social media accounts.
- Connecticut Gov. Dannel P. Malloy has signed into law a social media privacy bill prohibiting employers from requiring login information for personal online accounts.
- Despite privacy concerns, the House Committee on Energy and Commerce has voted unanimously in favor of the 21st Century Cures bill, which looks to remove the patient consent requirement for covered entities to use protected health information for academic purposes.
- An amended version of the bipartisan 21st Century Cures Bill has passed the House Energy and Commerce’s health subcommittee without any revisions; however, some privacy experts are concerned with provisions that would weaken Health Insurance Portability and Accountability Act privacy protections.
- The FTC advised companies in a blog post that it looks positively on cooperation when conducting investigations into data security breaches.
- Winston and Strawn LLP looks at the April class-action settlement in which Howard Johnson International, Inc., and Wyndham Hotel Group LLC paid $1.5 million after allegedly failing to properly alert customers that their phone conversations were being recorded.
- Illinois data breach legislation HB 1833 is being opposed by the ad industry, which says it creates “unnecessary compliance burdens” for businesses.
- Florida Gov. Rick Scott has signed legislation that makes posting “revenge porn” online a crime, joining another 16 U.S. states.
- Sen. Cory Booker (D-NJ) and Sen. John Hoeven (R-ND) introduced the Commercial UAS Modernization Act, which would set guidelines for unmanned aircraft systems.
- Sen. Edward Markey (D-MA), together with a group of Democratic senators, has sent the FCC a letter urging it to maintain the privacy provisions within the Telephone Consumer Protection Act.
- An FCC document states it “intends to focus on whether broadband providers are taking reasonable, good-faith efforts to comply with Section 222 rather than focusing on technical details.”
- A coalition of industry trade groups argues in court papers that the FCC’s move to reclassify broadband as a utility will place “immense burdens and costs” on Internet service providers.
- Gov. Chris Christie signed into law a bill that limits access to information collected from vehicle “black boxes.”
- New York Assemblyman Kevin Cahill (R-Kingston) is sponsoring a bill that would let drivers decide whether the Department of Motor Vehicles can sell their data, a practice that currently happens without drivers’ permission.